What you need to know today.
AVideo YPTSocket plugin ships a critical unauthenticated XSS, while qSnapper and WebSphere disclose multiple privilege-escalation and bypass flaws.

A critical unauthenticated stored DOM cross-site scripting vulnerability in the AVideo YPTSocket plugin (CVE-2026-54458) allows any remote attacker to execute arbitrary JavaScript in the context of a victim's browser session by injecting malicious payloads through the page_title broadcast mechanism. With a risk score of 0.52 (high), this flaw requires no authentication and no user interaction beyond viewing the affected page, making it particularly dangerous for streaming platforms that rely on AVideo. The XSS can be leveraged to steal session cookies, exfiltrate sensitive data, or perform actions on behalf of the victim. No patch or mitigation has been publicly detailed as of this writing, and organizations running AVideo with the YPTSocket plugin should treat this as an emergency-priority issue.
A cluster of five local privilege-escalation and information-disclosure vulnerabilities in qSnapper (CVE-2026-41045, CVE-2026-41046, CVE-2026-41047, CVE-2026-41048, CVE-2026-41049) affects versions prior to 1.3.3 and collectively undermines the snapshot-management tool's authentication and authorization model. The most severe of these, CVE-2026-41045, is a time-of-check/time-of-use (TOCTOU) race condition in polkit authentication that lets a local attacker bypass qSnapper's auth mechanism entirely and operate as root. Others include incorrect caching of authentication between users (CVE-2026-41049), missing auth on snapshot-diff functions that leak protected data (CVE-2026-41047), and a path-traversal bug in configName handling (CVE-2026-41046) that can lead to denial of service or root privilege escalation. All five are fixed in qSnapper 1.3.3, and Linux desktop users running snapshot-based backup workflows should upgrade immediately.
IBM disclosed a wave of vulnerabilities across WebSphere Application Server and Liberty, including an authentication bypass in JAX-WS applications (CVE-2026-10845), HTTP request smuggling (CVE-2026-8646), server-side request forgery via the Ajax Proxy (CVE-2026-9006), and two denial-of-service flaws (CVE-2026-9071, CVE-2026-9320). The authentication bypass is the standout: CVE-2026-10845 affects WebSphere 8.5 and 9.0 and could let a remote attacker gain unauthorized access to JAX-WS endpoints without valid credentials. The SSRF and request-smuggling bugs add further attack surface for enterprise deployments. IBM has not yet released patch details for all CVEs, but administrators should review their WebSphere configurations and apply interim fixes as they become available.
A critical missing-authorization vulnerability in Google Cloud Console's App Engine GraphQL API (CVE-2026-8934) allowed an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects. As Cyber Security News reported, a researcher exploited this flaw using AI-assisted techniques and earned a $500,000 bug bounty — one of the largest payouts in Google's history. The vulnerability demonstrates the growing risk of GraphQL API misconfigurations in cloud consoles, where a single missing authorization check can expose cross-tenant data. Google has since remediated the issue, but the incident underscores the importance of rigorous GraphQL authorization audits for any organization exposing private APIs.
Two authenticated stored XSS vulnerabilities in Akaunting 3.1.21 (CVE-2026-11942, CVE-2026-11943) allow users with record-creation or profile-editing privileges to inject persistent JavaScript. CVE-2026-11942 targets the reusable delete-confirmation flow, where a user can store malicious HTML/JavaScript in record names such as Items. CVE-2026-11943 exploits the document timeline on invoice and bill detail pages by injecting payloads into the user's own profile name. While both require authentication, the widespread use of Akaunting as an open-source accounting platform means that a single compromised low-privilege account could lead to session hijacking or data exfiltration against other users viewing those records. No patch has been announced.
The Angular Language Service VS Code extension disclosed two vulnerabilities (CVE-2026-50178, CVE-2026-49241) that could allow malicious Angular template tooltips or custom TypeScript SDK paths to execute arbitrary code in the extension's context. CVE-2026-50178 stems from the extension configuring the Markdown tooltip renderer with isTrusted: true, enabling XSS-like attacks through crafted template hover information. CVE-2026-49241 involves the extension reading custom TypeScript SDK paths (typescript.tsdk and jsdoc.tsdk) from workspace settings without sufficient validation, potentially allowing a malicious repository to execute arbitrary code when a developer opens it. Both are fixed in extension version 21.2.4. Developers using the Angular Language Service should update their VS Code extension immediately, as these flaws could be weaponized through shared repositories or malicious npm packages.
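The tsdk issue above comes down to an extension trusting a path that the opened repository controls through its workspace settings. The following is an added example, not code from the Angular Language Service, of the kind of gate a defender would want in front of that setting: the configured typescript.tsdk / jsdoc.tsdk value is only honored when the workspace is trusted and the path resolves inside the workspace folder. The policy, the function name and the workspaceTrusted flag are assumptions made for illustration.

```typescript
// Added example (not the Angular Language Service's own code): deciding whether a
// typescript.tsdk / jsdoc.tsdk value read from workspace settings may be loaded.
// Rationale: a cloned repository controls .vscode/settings.json, so an unvalidated
// tsdk path lets that repository choose which "TypeScript" module the extension runs.
import * as path from "path";

export interface TsdkDecision {
  accepted: boolean;     // true only if the extension may load this tsdk path
  resolved: string | null;
  reason: string;
}

// Hypothetical policy: honor the setting only when the workspace is trusted AND the
// path stays inside the workspace folder (no "..", no absolute path escaping it).
// Limitation: symlinks are not resolved here; a real implementation would also
// realpath the candidate before comparing.
export function resolveTsdkSetting(
  workspaceRoot: string,
  configuredTsdk: string | undefined,
  workspaceTrusted: boolean,
): TsdkDecision {
  if (!configuredTsdk) {
    return { accepted: false, resolved: null, reason: "no tsdk configured; use bundled TypeScript" };
  }
  if (!workspaceTrusted) {
    // Restricted Mode: repository-provided settings must not influence which code runs.
    return { accepted: false, resolved: null, reason: "workspace is not trusted" };
  }
  const root = path.resolve(workspaceRoot);
  const candidate = path.resolve(root, configuredTsdk);
  const rel = path.relative(root, candidate);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    return { accepted: false, resolved: null, reason: `tsdk path escapes workspace: ${configuredTsdk}` };
  }
  return { accepted: true, resolved: candidate, reason: "ok" };
}
```

The same gate applies regardless of which settings key supplied the value; what matters is that the decision is made before any module under that path is required.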